Gleick and the HP “Pretexting” Scandal

In 2006-7, officers and/or agents of Hewlett Packard were separately charged under California and federal law for their role in a “pretexting” scandal, in which an investigator impersonated HP directors and reporters in order to establish responsibility for leaks of non-public information that appeared to originate from company directors.

Gleick’s impersonation of a Heartland director was a form of “pretexting”, though his alleged forgery and public dissemination of documents go well beyond the HP incident. On the other hand, Gleick’s fraud did not involve public utility records or use U.S. federal identification numbers; as a result, some counts in the HP case do not apply to Gleick, though most do (plus some others).

Most of the limited discussion of Gleick’s conduct has been based on federal law, but state criminal law is very much involved. Hewlett Packard is based in San Francisco and is subject to the same state law as Gleick’s Pacific Institute, located across the bay. In addition, identity theft offences can be charged in the state of the person impersonated.

Once the HP pretexting facts became public, state and federal investigations were quickly launched (as well as congressional hearings). The dilatory response of authorities in the Gleick case stands in remarkable contrast.

I had noticed the Hewlett Packard case very early on (prior to Gleick’s confession) from googling “pretexting”. I had discussed it with Mosher at length. In addition to HP and the Pacific Institute both being Bay-area institutions, the Hewlett Foundation and the Packard Foundation were both important donors to the Pacific Institute. We concluded that Gleick was probably familiar with the general circumstances of the case from the extensive contemporary news coverage in the Bay area, particularly because of the involvement of such an important donor. We concluded that Gleick would thus be familiar with at least the idea of “pretexting” – one of a number of tells that were “consistent” with Gleick, but not “proving” Gleick.

HP had first tried to pin down corporate leaks in 2005 without success. In January 2006, Patricia Dunn, HP Chair, instigated a second attempt to pin down the source of the corporate leaks. In this attempt, one of the investigators, Bryan Wagner, several layers removed from Dunn, impersonated various HP directors and various news reporters, thereby obtaining telephone records that identified George Keyworth, one of their directors, as the source. Dunn denied condoning or knowing of subsequent illegality and, although she lost her job, charges against her were eventually dropped.

Tom Perkins, the chair of HP’s corporate governance committee, had opposed Dunn’s inquiry. In May, he learned that Dunn had proceeded with the investigation anyway and resigned in protest. In its original SEC filing, HP recorded Perkins’ resignation as due to personal reasons. Perkins formally objected to this and formally objected to the minutes of the meeting at which he resigned. (His correspondence is here.) On Aug 11, Perkins received confirmation from ATT that his personal telephone records had been obtained by an investigator who had impersonated him and on August 18, formally complained once again to HP about their 8-K filing. On Sep 6, HP filed a revised 8-K (reported by CNET here). By this time, the state Attorney General had begun an investigation and had “informally contacted” HP.

The story quickly sparked a feeding frenzy with almost daily statements over the next few weeks from the California state investigators and the company. Five days later (Sep 11), both the U.S. attorney and the House Energy and Commerce Committee announced investigations. Joe Barton stated:

The Committee is troubled by this information, particularly given that it involves HP–one of America’s corporate icons–using pretexting and data brokers to procure the personal telephone records of the members of its Board of Directors and of other individuals without their knowledge or consent

Barton’s statement came about 6 weeks after the hearings of the same committee (and subcommittee) into the hockey stick affair. On Sep 12, Dunn announced plans to resign. The U.S. Attorney’s Office issued a statement as follows:

“The U.S. Attorney’s Office and the FBI in the Northern District of California are investigating the processes employed in an investigation into possible sources of leaks of Hewlett-Packard Company confidential information,

A broader SEC inquiry was announced on Sep 21. On Oct 4, California filed. (Charges here; see discussion below.) On Dec 7, in exchange for a $14.5 million payment to the state, California dropped criminal charges against HP and its officers. The proceeds were supposed to go to “finance a new law enforcement fund to fight violations of privacy and intellectual-property rights.”

On Jan 12, 2007, federal charges were laid against Wagner. Wagner pleaded guilty but his sentencing is still pending five years later (apparently investigations of his higher-ups are still ongoing).

California Charges
California charges provide a precedent for the form of state charges that potentially apply in the Gleick case. California charges against Dunn and four others were laid under sections 538.5 (Fraudulent Wire Communication), 530.5 (Using personal identifying information of another to obtain credit, goods, or services in another’s name), 502(c)(2) (Wrongful use of computer data) and 182 (Conspiracy). A copy of the affidavit is here.

California section 538.5 does not appear to apply in the Gleick case since an essential element of the offence is obtaining data from a “public utility”, but the elements of the other offences appear to carry over. In addition, the Gleick case appears to meet the elements of state sections 528.5 and 530.

California Section 530.5 (one of the HP state charges) states:

530.5. (a) Every person who willfully obtains personal identifying information, as defined in subdivision (b) of Section 530.55, of another person, and uses that information for any unlawful purpose, including to obtain, or attempt to obtain, credit, goods, services, real property, or medical information without the consent of that person, is guilty of a public offense, and upon conviction therefor, shall be punished by a fine, by imprisonment in a county jail not to exceed one year, or by both a fine and imprisonment, or by imprisonment pursuant to subdivision (h) of Section 1170

Personal identifying information “as defined in subdivision (b) of Section 530.55” is defined very broadly and includes a person’s name (i.e. in the Gleick case, the name of the Heartland director that he impersonated).

Section 502(c) (also used in the HP charges) prescribes an offence when computers are used to “wrongfully obtain” data:

(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.
(2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.

Section 528.5(a) defines an offence for impersonating another person for the purpose of harming or defrauding another person:

(a) Notwithstanding any other provision of law, any person who knowingly and without consent credibly impersonates another actual person through or on an Internet Web site or by other electronic means for purposes of harming, intimidating, threatening, or defrauding another person is guilty of a public offense punishable pursuant to subdivision (d).

California section 530 is another impersonation offence in which property is received by the impersonator that is intended for the use of the person impersonated:

Every person who falsely personates another, in either his private or official capacity, and in such assumed character receives any money or property, knowing that it is intended to be delivered to the individual so personated, with intent to convert the same to his own use, or to that of another person, or to deprive the true owner thereof, is punishable in the same manner and to the same extent as for larceny of the money or property so received.

California Section 530.6(a) sets out procedures under which the impersonated Heartland director can initiate an investigation by a report to his local police. (Despite the “federalization” of much crime in the U.S., certainly relative to Canada, it appears that US states can work with one another.)

(a) A person who has learned or reasonably suspects that his or her personal identifying information has been unlawfully used by another, as described in subdivision (a) of Section 530.5, may initiate a law enforcement investigation by contacting the local law enforcement agency that has jurisdiction over his or her actual residence or place of business, which shall take a police report of the matter, provide the complainant with a copy of that report, and begin an investigation of the facts. If the suspected crime was committed in a different jurisdiction, the local law enforcement agency may refer the matter to the law enforcement agency where the suspected crime was committed for further investigation of the facts.

Illinois State Law
In addition to California state law, Gleick’s identity theft may give rise to state offences in Illinois, where both Heartland and most of its directors are located.

(a) A person commits the offense of identity theft when he or she knowingly:
(1) uses any personal identifying information or personal identification document of another person to fraudulently obtain credit, money, goods, services, or other property,
…
(7) uses any personal identification information or personal identification document of another for the purpose of gaining access to any record of the actions taken, communications made or received, or other activities or transactions of that person, without the prior express permission of that person.

Recall that one of Gleick’s requests was for the re-transmission of the Board package sent to the Heartland director that he was impersonating. The previous email was forwarded to Gleick in its entirety, together with the packages, an event that would seem to fall rather squarely within the Illinois offence.

Illinois Section 16G-35 states that a proper venue for identity theft is the county where the impersonated person resides or has a place of business:

Venue. In addition to any other venues provided for by statute or otherwise, venue for any criminal prosecution or civil recovery action under this Law shall be proper in any county where the person described in the personal identification information or personal identification document in question resides or has their principal place of business.

Once an identity theft has been reported, Illinois Section 16G-30 requires law enforcement to either investigate the matter themselves or to seek the assistance of (California) law enforcement:

Mandating law enforcement agencies to accept and provide reports; judicial factual determination.
(a) A person who has learned or reasonably suspects that his or her personal identifying information has been unlawfully used by another may initiate a law enforcement investigation by contacting the local law enforcement agency that has jurisdiction over his or her actual residence, which shall take a police report of the matter, provide the complainant with a copy of that report, and begin an investigation of the facts or, if the suspected crime was committed in a different jurisdiction, refer the matter to the law enforcement agency where the suspected crime was committed for an investigation of the facts.

Federal Law
Again, the charges against HP investigator Bryan Wagner provide precedent for the sort of liability that Gleick is exposed to. Federal charges against Wagner (see here) included 18 USC 371 (conspiracy); 18 USC 1028 (identity theft [with federal document]) and 18 USC 1343 (wire fraud). Wagner pleaded guilty to both charges though he has not yet been sentenced.

Federal section 1028 appears to require the use of a federal document or identification as an element of the offence. In Wagner’s case, he had used federal Social Security numbers, whereas Gleick simply used the director’s name. It doesn’t appear to me that the elements of federal section 1028 are met in Gleick’s case.

However, 18 USC 1343 does appear to apply to Gleick’s case, as I discussed in an earlier post in connection with Gleick’s obtaining of documents through identity theft, and additionally to Gleick’s dissemination (and likely authorship) of the fake memo, which Gleick falsely attributed to Heartland Institute. Both counts appear to fulfil the elements of section 1343 (wire fraud):

Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined under this title or imprisoned not more than 20 years, or both….

Wagner’s conviction under 18 USC 1343 in a pretexting case is a definite and relevant precedent.

Conclusion
The HP pretexting scandal offers an interesting precedent to Gleick’s case. Because Gleick’s case did not involve information from a public utility and did not use U.S. federal identification documents or numbers, some counts do not apply. But a number of offences charged in the HP pretexting appear to carry over with relatively little modification to Gleick’s case and, in addition, the elements of some other offences closely related to the HP offences appear to be satisfied in the Gleick case.

Going out on a limb, here… while the California and Illinois cites are good, Heartland might be able to file a federal case in any of the jurisdictions in which the 15 recipients of the Gleick email lived. That gives Heartland a rich opportunity to pick the jurisdiction most open to “politically-incorrect” organizations like their own.

I find it amusing that California law might be a petard upon which Gleick is hoisted. The California liberal-left has long pursued a legalism-on-steroids approach in its never-ending quest for Camelot. Slaughter a horse in California for human consumption? You’re a felon. Send a horse to Montana to be slaughtered for human consumption (there, not here)? You’re a felon. Send a horse to Montana that ends up being slaughtered for human consumption but you didn’t know that was going to happen (but you should have)? You’re a felon. Every now and then a law gets passed that does make sense, but there are so many of them that it’s more a matter of a stopped clock being right twice a day than a fruit of wisdom. This is the bed that the soulmates of Gleick have made for him.

BTW, I’d appreciate it if readers would help me collect the various bloodcurdling requests for prosecution of the Climategate “hacker”. Feel free to post quotes and links on this thread, which I’ll collect later. I have a few already, including some from Mann.

Update: Wesley Smith raises a point that I should have noted earlier. Hacking private email accounts is a crime and should be fully prosecuted. Questions should still be asked about the content of the emails but that has no bearing on the legitimacy of the tactics used to acquire the information.

It’s one thing to commit fraud or a crime solely in the state of California, but going into another state seems to make the case for Federal intervention, especially if Heartland’s Directors or contributors are widely dispersed. The California law, by itself, should be pretty tough.

It appears Dr. Gleick is liable for another Federal felony in addition to those Steve has listed. The email the good doctor sent, distributing the stolen and faked documents to his allies, said that he was going to delete the account he was sending it from. Deleting the account appears to be an instance of a Federal felony Wikipedia describes as “anticipatory obstruction of justice”. The Sarah Palin email hacker was convicted of that felony and a misdemeanor.

On January 30, 2012, Politico noted the hacker’s appeal of his conviction had been rejected:

It appears that when it comes to anticipatory obstruction of justice, Dr. Gleick’s violation of 18 U.S.C. § 1519 is just as calculated, and thus just as criminal, as that of the Sarah Palin email hacker before him.

I would argue, contrary to Mosh’s opinion, that Kernell’s offense, while serious WAS a political dirty trick and not as malicious as the crime Gleick committed. Gleick’s crime involved many more people– less powerful people who could be struggling in their careers and perhaps presently out of job and looking for work. The invasion of privacy was much more widespread. Yes, Kernell was attempting to influence the outcome of a presidential election, but the material released really didn’t hurt Palin from what I could see reading it. It was a minor embarrassment, no more damaging than the material that is regularly uncovered in a presidential campaign.

I don’t think that applies here. Gleick can say he has deleted an account, but all he really means is that he won’t be using that e-mail again. It’s like if I said I will be throwing away this cellphone, that doesn’t actually erase the records of the calls I’ve made.

I think there is really one degree of difference between the HP spying scandal and the Gleick/Heartland affair. Hewlett Packard was investigating [spying] on its own people in order to catch someone inside their organization [George Keyworth or who ever it really was] who was damaging them. The more direct comparison of the two scandals would be, hypothetically, if Heartland then resorted to some type of subterfuge to get the goods on Gleick.

The techniques used and the subsequent legal ramifications may be analogous, but the ‘pretexts’ are one order of difference removed.

I am not a lawyer, but I think 502(c) does not apply. To me, this reads like a law against “classic hacking”, where the target is a computer (e.g. hacking a password), and not when a computer is used (“pretexting” or social engineering) to trick a person, e.g. via email.

There should be broad laws of principle to cover fraudulent mis-representation (my term, I do not know laws, which do vary between fiefdoms, “pretext” seems milder but I presume comes from “false pretenses”).

I hope the average voter knows in their heart it is wrong.

PS: Amusing goof in the quote from Politico about David Kernell deleting computer records of his hacking of Sarah Palin’s email. I’m not expert enough to be absolutely sure, but I doubt “defragmented his hard disk” would erase traces of the files. I’d reformat, use a utility that repeatedly does something to the disk, or destroy the drive. (Yesterday by incinerating, today there is the somewhat less secure approach of shredding machines used for hard drives and portable devices.)

After thinking a bit, and to be explicit, it is obvious to anyone who has checked into it and used “defragmenting” that it is supposed to NOT lose data, but only to put the chunks of a file all in one area of the drive.

(Normally the o/s grabs space wherever it can, with some logic that may try to spread use of the surface to maximise life, as a file is made up of small chunks of space on the disc – even if in one area, it can become scattered. Including because the file may have been made larger, especially if superseded data is still in the file (which Word and WordPerfect used to default to in order to have “quick save” – IIRC later versions default to not (such as SP3 to Office 2003)).)

Keith Sketchley, it’s true defragmenting should* not lose data. However, there is a distinction between the “data” you refer to and “traces of… files.”

When a file is deleted, the hard drive doesn’t suddenly lose it. Instead, it marks the portion of the hard drive that file was on as available for use. The file stays there, like that, until the space is reused. But until that space is reused, the file is still there. The data is still available.

When you reformat a hard drive, it moves files around, and thus, it can place files “over top” of the deleted ones. This destroys traces of the data the file contained even though the file may have been deleted for months beforehand.

Well… just to dive WAY down into the weeds: Brandon is correct, that defragging will (likely) overwrite some of the no-longer used file fragments that remain after a file is “deleted” by the OS – the problem is that it will not *reliably* overwrite any of them, and will undoubtedly not overwrite *all* of them. As well, when writing a current data file over a ‘marked as unused’ space that contains a “deleted” file a defrag will only write a single pass. There is generally enough of a magnetic trace from the former file (ie, a bit that nominally reads “1” may have an actual value corresponding to “0.85” – implying that the overwritten file contained a “0”) that a specialist can recover it. By comparison, a disk cleaner (say PGP/GPG ‘shred’ function, or similar) will overwrite *all* of the ‘marked as unused’ space (with random values), and will do so a number of times, so that the residual magnetic traces are simply random values.
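The behaviour discussed in the comments above (deletion only marks space as free, defragmenting overwrites some of that space by accident, a free-space wipe overwrites all of it) can be reproduced in a toy model and viewed the way a forensic examiner would, by scanning unallocated blocks. This is an added example, not part of the original post or thread; `ToyDisk`, its 16-byte blocks and the file layout are constructed for illustration, and it models logical overwriting only, not residual magnetic traces.

```python
import os

BLOCK = 16  # bytes per block in this constructed toy model


class ToyDisk:
    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK) for _ in range(nblocks)]
        self.files = {}  # name -> ordered block indexes (the "allocation table")

    def free_blocks(self):
        used = {i for idxs in self.files.values() for i in idxs}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write(self, name, data, at):
        """Store data in the given free blocks (lets us build a fragmented layout)."""
        chunks = [data[i:i + BLOCK].ljust(BLOCK, b"\0") for i in range(0, len(data), BLOCK)]
        assert len(chunks) == len(at) and set(at) <= set(self.free_blocks())
        for idx, chunk in zip(at, chunks):
            self.blocks[idx] = chunk
        self.files[name] = list(at)

    def delete(self, name):
        """Deletion drops the table entry only; the block contents are untouched."""
        del self.files[name]

    def defragment(self):
        """Pack live files contiguously from block 0; other blocks keep their old bytes."""
        live = sorted(self.files.items(), key=lambda kv: kv[1][0])
        live = [(name, [self.blocks[i] for i in idxs]) for name, idxs in live]
        pos = 0
        for name, chunks in live:
            for k, chunk in enumerate(chunks):
                self.blocks[pos + k] = chunk
            self.files[name] = list(range(pos, pos + len(chunks)))
            pos += len(chunks)

    def wipe_free_space(self):
        """Overwrite every unallocated block with random bytes."""
        for i in self.free_blocks():
            self.blocks[i] = os.urandom(BLOCK)

    def residue(self, marker):
        """Forensic view: unallocated blocks that still contain the marker."""
        return [i for i in self.free_blocks() if marker in self.blocks[i]]


def scenario():
    disk = ToyDisk(12)
    disk.write("keep_a", b"A" * 32, at=[0, 5])
    disk.write("secret", b"SECRET-1________SECRET-2________SECRET-3________", at=[1, 2, 8])
    disk.write("keep_b", b"B" * 32, at=[3, 9])
    disk.delete("secret")
    after_delete = disk.residue(b"SECRET")   # all three fragments still readable
    disk.defragment()
    after_defrag = disk.residue(b"SECRET")   # two overwritten by chance, one survives
    disk.wipe_free_space()
    after_wipe = disk.residue(b"SECRET")     # nothing left in unallocated space
    return after_delete, after_defrag, after_wipe


if __name__ == "__main__":
    print(scenario())
```
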